SANS Digital Forensics and Incident Response Blog: Tag - file systems

Hal Pomeranz, Deer Run Associates Many years ago, I started this series of blog posts documenting the internals of the EXT4 file system. One item I never got around to was documenting how directories were structured in EXT. Some recent research has caused me to dive back into this topic, and given me an excuse … Continue reading Understanding EXT4 (Part 6): Directories

When discussing malware analysis, I've always referred to 2 main phases of the process: behavioral analysis and code analysis. It's time to add a third major component: memory analysis.

Here's a brief outline of each phase:

Behavioral analysis examines the malware specimen's interactions with its environment: the file system, the registry (if on Windows), the network, as well as other processes and OS components. As the malware investigator notices interesting behavioral characteristics, he modifies the laboratory environment to evoke newcharacteristics. To perform this work, theinvestigatortypically infects the isolated system while having the necessary monitoring tools observe the specimen's execution. Some of the free tools that can help in this analysis phase are Process Monitor,

I've been wiping a lot of media lately. Mostly these are USB devices that we've used to share evidence and other data during an investigation. I want to be sure that I don't accidentally disclose any data from my cases, and I also want to know when I reach into my bag for a USB stick that it's not going to be polluted with other data. And when I get new media (from a vendor, trade show, or whatever) I always have a strict policy of wiping the drive completely from my Linux box (which is specifically configured not to automount new media) before it gets near any Windows machines that might have autoruns enabled.

Happily, Linux makes this whole process quite straightforward with just a few simple command-line tools.

Earlier this year, a life time ago in internet years, I published a series of posts on the FAT file system. Over the next few months, I'll be publishing a similar series on NTFS. Much of the information contained in these posts will come from Brian Carrier's excellent book, File System Forensic Analysis, articles from Microsoft and other sources. Where applicable, specific sources will be cited within each blog post.

Once in a while, a colleague, neighbor or friend will call me in a panic over files they have accidentally deleted from the SSD card in their daughter's camera or worse. In such cases it's often possible to carve out files from the data layer using something like foremost or in a best case scenario, if metadata still exists, sorter can be put to good use to recover the data.

But what about a case where an enterprising perpetrator with above average tech savvy has deliberately altered a partition's metadata in order to inhibit access to the data? I know it's a stretch, but let's say there's a small time drug dealer who carries operational data on a USB stick, but he's altered the metadata in such a way that recovering the files from the USB stick is non-obvious.

"I had taken several other forensic courses prior to this one, but none of them or their instructors made understanding forensic methodologies and techniques as clear and understandable as Rob Lee and this course has."- Nathon Heck, Purdue

"A great course on timeline, registry, and restore point forensics. SANS is continuing to be the leader on teaching new techniques happening with forensics."- Brad Garnett, Gibson County Sherrif's Dept.